wshrat | d6fc2e70bf11cb4b1b12c63864458a3e9c9bb8ae8f5e37a50da90d4b88f8ece6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER_INQUIRY002504.vbe
Size

8KB
MD5

5018141075d290e1bf838ceddeaa0fab
SHA1

37a5d96ff98bdb465b51b922b9e193916df70e7a
SHA256

d6fc2e70bf11cb4b1b12c63864458a3e9c9bb8ae8f5e37a50da90d4b88f8ece6
SHA512

228902cb60b168aee5522bd9696c38a5b21bc189b4b5f1ec00612cf12fc8ae96cc486e5ad7605623a511bdfd36cc4229fda38613a98f5ff6dd1b1f9dd1de09fb
SSDEEP

192:MbmQwm8r83b4x4a/Qw4uA/8r4aFE+g0aFK2ZSfgbDRbHYQwDQwrQwYjbv9F+QwHJ:ImQwmY8r4x4a/Qw4uA/Y4azg0aE2ZSfl

Score

10^/10

wshrat discovery execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
1	976	WScript.exe
23	4008	wscript.exe
29	4008	wscript.exe
35	4008	wscript.exe
36	4008	wscript.exe
37	4008	wscript.exe
38	1512	wscript.exe
45	4008	wscript.exe
46	1512	wscript.exe
61	4008	wscript.exe
62	1512	wscript.exe
69	4008	wscript.exe
71	1512	wscript.exe
72	4008	wscript.exe
73	1512	wscript.exe
74	2148	wscript.exe
75	4008	wscript.exe
76	1512	wscript.exe
77	2148	wscript.exe
78	4008	wscript.exe
79	1512	wscript.exe
82	2148	wscript.exe
88	4008	wscript.exe
89	1512	wscript.exe
90	2148	wscript.exe
91	4008	wscript.exe
92	1512	wscript.exe
93	2148	wscript.exe
94	4500	wscript.exe
95	4008	wscript.exe
96	1512	wscript.exe
97	2148	wscript.exe
98	4500	wscript.exe
99	4008	wscript.exe
100	1512	wscript.exe
101	2148	wscript.exe
102	4500	wscript.exe
103	4008	wscript.exe
104	1512	wscript.exe
105	2148	wscript.exe
106	4500	wscript.exe
107	4008	wscript.exe
108	1512	wscript.exe
109	2148	wscript.exe
110	4500	wscript.exe
111	6072	wscript.exe
112	4008	wscript.exe
113	1512	wscript.exe
114	2148	wscript.exe
117	4500	wscript.exe
118	6072	wscript.exe
120	4008	wscript.exe
121	1512	wscript.exe
122	2148	wscript.exe
123	4500	wscript.exe
124	6072	wscript.exe
125	4008	wscript.exe
126	1512	wscript.exe
127	2148	wscript.exe
128	4500	wscript.exe
129	6072	wscript.exe
130	4008	wscript.exe
131	1512	wscript.exe
132	2148	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 15 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4776	orroctl.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orroctl.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	WScript.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	135	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	125	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	123	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	153	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	29	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	134	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	141	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	162	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	164	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	45	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	111	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	151	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	156	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	166	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	71	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	95	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	154	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	110	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	113	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	117	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	142	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	152	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	155	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	158	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	36	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	46	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	88	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	108	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	118	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	23	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	121	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	133	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	157	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	161	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	163	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	35	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	61	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	165	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	79	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	129	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	131	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	146	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	147	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	38	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	106	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	120	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	136	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	138	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	102	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|04912022\|LYFGOYQN\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 5472	976	WScript.exe	89
PID 976 wrote to memory of 5472	976	WScript.exe	89
PID 5472 wrote to memory of 1676	5472	WScript.exe	90
PID 5472 wrote to memory of 1676	5472	WScript.exe	90
PID 5472 wrote to memory of 4516	5472	WScript.exe	91
PID 5472 wrote to memory of 4516	5472	WScript.exe	91
PID 4516 wrote to memory of 4776	4516	WScript.exe	96
PID 4516 wrote to memory of 4776	4516	WScript.exe	96
PID 4516 wrote to memory of 4776	4516	WScript.exe	96
PID 1676 wrote to memory of 4008	1676	WScript.exe	97
PID 1676 wrote to memory of 4008	1676	WScript.exe	97
PID 4568 wrote to memory of 5044	4568	cmd.exe	98
PID 4568 wrote to memory of 5044	4568	cmd.exe	98
PID 4720 wrote to memory of 4940	4720	cmd.exe	99
PID 4720 wrote to memory of 4940	4720	cmd.exe	99
PID 912 wrote to memory of 1160	912	cmd.exe	116
PID 912 wrote to memory of 1160	912	cmd.exe	116
PID 3752 wrote to memory of 1908	3752	cmd.exe	118
PID 3752 wrote to memory of 1908	3752	cmd.exe	118
PID 2944 wrote to memory of 1620	2944	cmd.exe	119
PID 2944 wrote to memory of 1620	2944	cmd.exe	119
PID 2924 wrote to memory of 1188	2924	cmd.exe	120
PID 2924 wrote to memory of 1188	2924	cmd.exe	120
PID 2212 wrote to memory of 5944	2212	cmd.exe	121
PID 2212 wrote to memory of 5944	2212	cmd.exe	121
PID 3972 wrote to memory of 4052	3972	cmd.exe	122
PID 3972 wrote to memory of 4052	3972	cmd.exe	122
PID 2248 wrote to memory of 3940	2248	cmd.exe	123
PID 2248 wrote to memory of 3940	2248	cmd.exe	123
PID 5696 wrote to memory of 5728	5696	cmd.exe	124
PID 5696 wrote to memory of 5728	5696	cmd.exe	124
PID 3920 wrote to memory of 1596	3920	cmd.exe	133
PID 3920 wrote to memory of 1596	3920	cmd.exe	133
PID 5284 wrote to memory of 2160	5284	cmd.exe	134
PID 5284 wrote to memory of 2160	5284	cmd.exe	134
PID 4204 wrote to memory of 5992	4204	cmd.exe	141
PID 1288 wrote to memory of 2868	1288	cmd.exe	142
PID 1288 wrote to memory of 2868	1288	cmd.exe	142
PID 4204 wrote to memory of 5992	4204	cmd.exe	141
PID 1584 wrote to memory of 5672	1584	cmd.exe	147
PID 1584 wrote to memory of 5672	1584	cmd.exe	147
PID 6064 wrote to memory of 3956	6064	cmd.exe	148
PID 6064 wrote to memory of 3956	6064	cmd.exe	148
PID 6032 wrote to memory of 2432	6032	cmd.exe	153
PID 6032 wrote to memory of 2432	6032	cmd.exe	153
PID 2228 wrote to memory of 1512	2228	cmd.exe	154
PID 2228 wrote to memory of 1512	2228	cmd.exe	154
PID 5252 wrote to memory of 5560	5252	cmd.exe	167
PID 5252 wrote to memory of 5560	5252	cmd.exe	167
PID 5572 wrote to memory of 4528	5572	cmd.exe	168
PID 5572 wrote to memory of 4528	5572	cmd.exe	168
PID 2792 wrote to memory of 4712	2792	cmd.exe	169
PID 2792 wrote to memory of 4712	2792	cmd.exe	169
PID 6080 wrote to memory of 864	6080	cmd.exe	170
PID 6080 wrote to memory of 864	6080	cmd.exe	170
PID 5376 wrote to memory of 4496	5376	cmd.exe	171
PID 5376 wrote to memory of 4496	5376	cmd.exe	171
PID 5388 wrote to memory of 4996	5388	cmd.exe	172
PID 5388 wrote to memory of 4996	5388	cmd.exe	172
PID 4832 wrote to memory of 4852	4832	cmd.exe	178
PID 4832 wrote to memory of 4852	4832	cmd.exe	178
PID 5012 wrote to memory of 1160	5012	cmd.exe	179
PID 5012 wrote to memory of 1160	5012	cmd.exe	179
PID 5464 wrote to memory of 2504	5464	cmd.exe	184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_INQUIRY002504.vbe"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EWGEFS.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5472
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Audiodg.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:4008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\orroctl.exe
      "C:\Users\Admin\AppData\Local\Temp\orroctl.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5696
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6080
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3848
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:6076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:736
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4852
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1372
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4672
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4180
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5672
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:6032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5000
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4148
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4832
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5448
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3168
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3392
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3120
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4816
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5832
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1188
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5640
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5624
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Adds Run key to start application
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5788
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5848
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2988
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2248
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5896
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3612
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5220
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5156
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3192
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4372
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4824
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:6132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2964
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1332
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4056
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:624
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4324
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:736
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2568
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2852
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5080
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4356
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4332
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Audiodg.js

Filesize
283KB

MD5
8dffacf26da035dcda2a5e938e137968

SHA1
c1b032a717d49d6c35fe7281f41b398ed0ccd856

SHA256
a1544f7f62a1d82ed7f7034316a6989796ebc583b071ac7df7054fb1c1fc7261

SHA512
772c92dca2416002113bdf0862a1c1b0e3e7535219679072be0dc7ff2e244f1c9e771add5f216271529bd5a36faaf48e413381faa85d8ce342e086f295fe2c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWGEFS.js

Filesize
569KB

MD5
58ad6ce83e888acdfd085c8cb3b7d2d6

SHA1
ea6411fb56d104ab5d716c5d16a9a7bbcfaef5ca

SHA256
dc7d0427f01e02a7752db8ac7aa6f77caf8dc83896b74b3cf6999fcba3288020

SHA512
68b216db2d3a6db40c026e8b69b8ae5fc276700d414bb34f6b2d905164fc0ade17cd2637ad34025c24954e9deb135c7e05fbae7f2a705e3f40d00ced051aa4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\orroctl.exe

Filesize
65KB

MD5
09456ee3f6fb995f38734e6360162e0e

SHA1
68a1aeb27fb77e4ce30d1f026d3226531824f214

SHA256
4c101eb54963c36718d716009dbb8a87e1d312f087f42c9db900327d791d24e5

SHA512
22fb0dab49f58f5d4934c33456a2c127b675989225e9c5fe054e3126d1ffcbc250fad26d816384281cbb199eae419982e7c43246a9e0b5505b90201e1a1a4016

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.js

Filesize
108KB

MD5
81e632eae9dbfdb1ced86b4654b5d6f4

SHA1
f8e1b936cc9cdb54c53293b3fd3707916087577f

SHA256
09d630cee9fae646c5df300bb4fd31ce7f4785cd81f2d5c6b85446ff4b3aa421

SHA512
d4e7f04c5e4fd48a8b85d351aa6d61358b271e6b22cb8f361b3eb2a2eaa36e69b4bdf654c44992b0af94e6bd3074fd930307bfe122ad1b02fe73923f395dc909

Download Submit
memory/4776-31-0x0000000000980000-0x0000000000997000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads